RobinHerbots Inputmask
- <= 5.0.9
A prototype pollution vulnerability has been identified in RobinHerbots Inputmask versions through 5.0.9. The issue arises in the internal deep merge helper function, which is part of the library's dependency management. The vulnerability allows for uncontrolled modification of object prototype attributes, potentially leading to malicious exploitation from remote sources.
Exploitation of this vulnerability allows for prototype pollution, where an attacker can inject properties into the Object.prototype. This can disrupt application logic, cause denial-of-service conditions, create confusion between options and defaults, or bypass mechanisms that rely on standard object property lookups.
The vulnerability can be reproduced by calling the 'extendDefaults()' method with an object that includes a '__proto__' property. This will result in the injected property being added to the Object.prototype, allowing for the pollution to be observed.
To address this vulnerability, it is recommended to reject any objects that attempt to perform prototype pollution before they are processed. Additionally, the deep merge function should be modified to only iterate over own enumerable properties, and to use 'Object.create(null)' for dynamic merge maps where suitable.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.